Re: The HTTP Origin Header (draft-abarth-origin)

On Thu, Jan 22, 2009 at 6:29 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> The feature of "defend themselves against CSRF by identifying
> the referral page" is satisfied by "don't allow requests that
> lack an appropriate Referer".  Your estimate that it would also
> block some 3% of false negatives does not lessen its defense.
> The 3% would get an error message in response.

These 3% of potential users would be unable to use the Web site.  In
talking with folks who run large Web sites, I've been told that
excluding 3% of your potential customers is not acceptable.

> Your claims are based on the assumption that those very same
> 3% proxies will forward the Origin header unchanged.

This is not an assumption.  In April 2008, we measured how often various
headers were suppressed for 283,945 browsers who viewed an
advertisement we placed with a minor ad network.  We observed that the
Referer header was suppressed for approximately 3% of requests whereas
the Origin header was only suppressed for 0.029-0.047% of requests (95%
confidence).  For more detailed results and a description of the
methodology, please see Section 4.2.1 of
http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf

> Your assumption is wrong.

What evidence do you have to back up this claim?

> The proxies that remove request headers
> today are the ones that remove all request headers and rewrite
> each request on their own terms

These proxies do not appear to be nearly as common as proxies that
strip the Referer header.

Adam

Received on Friday, 23 January 2009 03:52:29 UTC
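As an added illustration (not code from this thread or from the draft), the two CSRF policies under discussion applied to the same requests: the "reject anything without an appropriate Referer" rule turns away a request whose Referer a proxy stripped, while an Origin-first check with Referer fallback accepts it and still rejects cross-site and header-less requests. SITE_ORIGIN and the sample headers are constructed.

```python
from urllib.parse import urlsplit

# Assumed origin of the site being protected (constructed for this example).
SITE_ORIGIN = "https://example.com"

def _origin_of(url: str):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparsable."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower() if p.scheme and p.netloc else None

def _header(headers: dict, name: str):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def check_referer_only(headers: dict) -> bool:
    """Reject any request that lacks an appropriate Referer (the policy quoted
    above).  A request whose Referer was stripped in transit is refused."""
    ref = _header(headers, "Referer")
    return ref is not None and _origin_of(ref) == SITE_ORIGIN

def check_origin_then_referer(headers: dict) -> bool:
    """Consult Origin first, fall back to Referer, reject when both are absent.
    An Origin of "null" or of any foreign site fails the comparison."""
    origin = _header(headers, "Origin")
    if origin is not None:
        return origin.strip().lower() == SITE_ORIGIN
    ref = _header(headers, "Referer")
    return ref is not None and _origin_of(ref) == SITE_ORIGIN

# Constructed sample requests, all state-changing POSTs to the protected site.
SAMPLES = {
    "same_site_post": {"Origin": "https://example.com",
                       "Referer": "https://example.com/account"},
    "referer_stripped": {"Origin": "https://example.com"},   # privacy-proxy case
    "cross_site_post": {"Origin": "https://attacker.example",
                        "Referer": "https://attacker.example/form.html"},
    "all_headers_stripped": {},
}

def rejected_counts() -> dict:
    """How many of the sample requests each policy would turn away."""
    return {
        "referer_only": sum(not check_referer_only(h) for h in SAMPLES.values()),
        "origin_then_referer": sum(not check_origin_then_referer(h)
                                   for h in SAMPLES.values()),
    }

if __name__ == "__main__":
    for name, h in SAMPLES.items():
        print(f"{name:22s} referer-only={check_referer_only(h)!s:5s} "
              f"origin-first={check_origin_then_referer(h)}")
    print(rejected_counts())
```

Only the Referer-only policy rejects the legitimate "referer_stripped" request; both policies reject the cross-site and header-less ones.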